US9843572B2 · Active · Utility · PatentIndex 83

Distributing an authentication key to an application installation

Assignee: AIRWATCH LLC · Priority: Jun 29, 2015 · Filed: Jun 29, 2015 · Granted: Dec 12, 2017
Est. expiry: Jun 29, 2035 (~9 yrs left) · nominal 20-yr term from priority
Inventors: RYKOWSKI ADAM STEPHEN
CPC: H04L 9/3242, H04L 63/0823, H04L 63/06, H04L 9/3268, H04L 63/0807
PatentIndex Score: 83 · Cited by: 6 · References: 44 · Claims: 20

Abstract

Disclosed are various examples for facilitating distribution of an authentication code to installation of managed applications. An identity certificate is sent to a device by installing a configuration profile on the client device. The configuration profile includes the identity certificate. A management service can also initiate installation of a managed application. The identity certificate can be used to authenticate the client device so that an authentication key can be provided to the managed application.

Claims

exact text as granted — not AI-modified
Therefore, the following is claimed:

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed by the computing device, being configured to cause the computing device to at least:
transmit an identity certificate to a client device, the identity certificate uniquely associated with a user account and specifying which applications installed on the client device have permission to access the identity certificate, the identity certificate further being installed as a certificate profile by an operating system executed by the client device;
initiate an installation of an instance of an application on the client device;
receive a request to access content from the instance of the application;
transmit a request for the identity certificate to the client device, wherein the request is intercepted by the operating system executed by the client device;
receive the identity certificate from the client device;
validate an identity of the user account based upon whether the identity certificate received from the client device matches the identity certificate transmitted to the client device without first requiring comparison of a username or a password corresponding to a user;
generate an authentication key in response to validation of the identity of the user account, the authentication key being associated with the instance of the application; and
transmit the authentication key to the client device to be stored in access-restricted storage such that access by other applications on the client device is prohibited by the operating system, wherein the instance of the application provides the authentication key to authenticate the application for access to a network resource without first requiring comparison of the username or the password corresponding to the user.

2. The non-transitory computer-readable medium of claim 1, wherein the authentication key comprises at least one of a keyed-hash message authentication code (HMAC) or a session token that is associated with the instance of the application.

3. The non-transitory computer-readable medium of claim 1, wherein the authentication key is transmitted to the instance of the application executed by the client device.

4. The non-transitory computer-readable medium of claim 1, wherein the request for the identity certificate comprises a hypertext transfer protocol (HTTP) response with status code 401.

5. The non-transitory computer-readable medium of claim 1, wherein the request for the identity certificate is generated in response to a determination that the instance of the application is not associated with the authentication key, wherein the authentication key is associated with the user account in a data store accessible to the computing device.

6. The non-transitory computer-readable medium of claim 1, the program further being configured to cause the computing device to at least:
receive a request for access to content from the client device; and
authenticate the client device based upon whether the request for access to content from the client device contains the authentication key.

7. The non-transitory computer-readable medium of claim 1, the program further being configured to cause the computing device to at least revoke the authentication key by disassociating the instance of the application from the authentication key in a data store accessible to the computing device.

8. A system, comprising:
at least one computing device comprising one or more processors and memory; and
a management service executable by the at least one computing device, the management service configured to cause the at least one computing device to at least:
transmit an identity certificate to a client device, the identity certificate uniquely associated with a user account and specifying which applications installed on the client device have permission to access the identity certificate, the identity certificate further being installed as a certificate profile by an operating system executed by the client device;
initiate an installation of an instance of an application on the client device;
receive a request to access content from the instance of the application;
transmit a request for the identity certificate to the client device, wherein the request is intercepted by the operating system executed by the client device;
receive the identity certificate from the client device;
validate an identity of the user account based upon whether the identity certificate received from the client device matches the identity certificate transmitted to the client device without first requiring comparison of a username or a password corresponding to a user;
generate an authentication key in response to validation of the identity of the user account, the authentication key being associated with the instance of the application; and
transmit the authentication key to the client device to be stored in access-restricted storage such that access by other applications on the client device is prohibited by the operating system, wherein the instance of the application provides the authentication key to authenticate the application for access to a network resource without first requiring comparison of the username or the password corresponding to the user.

9. The system of claim 8, wherein the authentication key comprises at least one of a keyed-hash message authentication code (HMAC) or a session token that is associated with the instance of the application.

10. The system of claim 8, wherein the authentication key is transmitted to the instance of the application executed by the client device.

11. The system of claim 8, wherein the request for the identity certificate comprises a hypertext transfer protocol (HTTP) response with status code 401.

12. The system of claim 8, wherein the request for the identity certificate is generated in response to a determination that the instance of the application is not associated with the authentication key, wherein the authentication key is associated with the user account in a data store accessible to the at least one computing device.

13. The system of claim 8, wherein the management service is further configured to:
receive a request for access to content from the client device; and
authenticate the client device based upon whether the request for access to content from the client device contains the authentication key.

14. The system of claim 8, wherein the management service is further configured to cause the at least one computing device to at least revoke the authentication key by disassociating the instance of the application from the authentication key in a data store accessible to the at least one computing device.

15. A method, comprising:
transmitting an identity certificate to a client device, the identity certificate uniquely associated with a user account and specifying which applications installed on the client device have permission to access the identity certificate, the identity certificate further being installed as a certificate profile by an operating system executed by the client device;
initiating an installation of an instance of an application on the client device;
receiving a request to access content from the instance of the application;
transmitting a request for the identity certificate to the client device, wherein the request is intercepted by the operating system executed by the client device;
receiving the identity certificate from the client device;
validating an identity of the user account based upon whether the identity certificate received from the client device matches the identity certificate transmitted to the client device without first requiring comparison of a username or a password corresponding to a user;
generating an authentication key in response to validation of the identity of the user account, the authentication key being associated with the instance of the application; and
transmitting the authentication key to the client device to be stored in access-restricted storage such that access by other applications on the client device is prohibited by the operating system, wherein the instance of the application provides the authentication key to authenticate the application for access to a network resource without first requiring comparison of the username or the password corresponding to the user.

16. The method of claim 15, wherein the authentication key comprises at least one of a keyed-hash message authentication (HMAC) code or a session token that is associated with the instance of the application.

17. The method of claim 15, wherein the authentication key is transmitted to the instance of the application executed by the client device.

18. The method of claim 15, wherein the request for the identity certificate is generated in response to a determination that the instance of the application is not associated with the authentication key, wherein the authentication key is associated with the user account.

19. The method of claim 15, further comprising:
receiving a request for access to content from the client device; and
authenticating the client device based upon whether the request for access to content from the client device contains the authentication key.

20. The method of claim 15, further comprising revoking the authentication key by disassociating the instance of the application from the authentication key in a data store.
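To make the server side of the claimed exchange concrete, here is an added Python model of the management service (constructed for this page, not AirWatch's or the patent's own code). It assumes a server-held HMAC secret, constructed certificate bytes standing in for the certificate profile, and app-instance identifiers; it covers the 401 challenge when no key is on record, validation by matching the issued certificate with no username or password, an HMAC authentication key bound to the application instance, and revocation by disassociating the instance from its key.

```python
import hashlib
import hmac
import secrets


class ManagementService:
    """Constructed model of the management service in the claims (not the patent's code)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # server-side HMAC secret (assumption)
        self._issued_certs = {}  # user account -> identity certificate pushed to the device
        self._app_keys = {}  # app instance id -> (user account, authentication key)

    def issue_identity_certificate(self, user_account):
        # Stands in for sending the certificate profile to the device; the value is constructed.
        cert = b"CERT:" + user_account.encode() + b":" + secrets.token_bytes(16)
        self._issued_certs[user_account] = cert
        return cert

    def request_content(self, app_instance_id, auth_key=None):
        # An instance with no key on record, or a key that does not match, is challenged
        # with 401 (the request for the identity certificate); a matching key yields content.
        entry = self._app_keys.get(app_instance_id)
        if entry is not None and auth_key is not None and hmac.compare_digest(entry[1], auth_key):
            return 200, "content"
        return 401, "identity certificate required"

    def present_certificate(self, app_instance_id, user_account, cert):
        # Validation is a match against the certificate the service itself issued; no
        # username or password is consulted. The comparison is constant-time.
        issued = self._issued_certs.get(user_account)
        if issued is None or not hmac.compare_digest(issued, cert):
            return None
        # The authentication key is an HMAC bound to this application instance; the random
        # input keeps keys unique even when the same instance re-authenticates.
        key = hmac.new(self._secret, app_instance_id.encode() + secrets.token_bytes(16),
                       hashlib.sha256).hexdigest()
        self._app_keys[app_instance_id] = (user_account, key)
        return key

    def revoke(self, app_instance_id):
        # Revocation disassociates the instance from its key in the data store.
        return self._app_keys.pop(app_instance_id, None) is not None
```

A key issued to one instance is useless from another instance id, which is the binding the claims describe; the client-side storage restriction is the operating system's job and is not modelled here.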

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.